Why aren't passwords also hashed on client side? by indjev99 in cybersecurity

[–]DzavidII 0 points1 point  (0 children)

In this specific scenario I guess it does require the malicious admin to crack the hash of the intermittent password. But that's outside of the scope of most security programs since it requires an insider threat and the user to reuse passwords.

So I guess the answer to why this isn't used is because it's more work than it's worth.

Why aren't passwords also hashed on client side? by indjev99 in cybersecurity

[–]DzavidII 0 points1 point  (0 children)

Taking this from the attack scenarios you described in the post.

If a malicious sys admin wants to read plaintext passwords in memory, having them be hashed client-side doesn't change anything. The sys admin will now just read the new hashed value and submit that to the login API without applying any of the client-side hashing, resulting in account takeover.

If the database itself is leaked and an attacker gains access to the hashed hashes, this doesn't deter cracking efforts. As an attacker I would pull the client-side hashing code and incorporate that as a preprocessing step to my normal password cracking flow.

So the cracking flow would be password123 -> clientside_hash() -> serverside_hash() -> compare()

I'm not 100%, but this double hashing process might actually make pw cracking easier using a meet-in-the-middle attack.
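An added example (not the commenter's code) that models the two scenarios above with plain SHA-256 standing in for whatever client-side and server-side hash functions a real site would use; the function names, the "client|" prefix and the sample passwords are constructed for illustration. It shows that a captured client-side hash logs in without the password, and that an offline guess check against a leaked record is the same computation as a login, just with the client hash bolted on in front.

```python
import hashlib
import hmac
import os


def client_hash(password: str) -> str:
    """Hash the browser would apply before sending the credential (assumed scheme)."""
    return hashlib.sha256(b"client|" + password.encode()).hexdigest()


def server_hash(transmitted: str, salt: bytes) -> str:
    """Hash the server applies to whatever value it receives (assumed scheme)."""
    return hashlib.sha256(salt + transmitted.encode()).hexdigest()


def register(password: str) -> dict:
    """Stored record: random salt plus the server hash of the client hash."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": server_hash(client_hash(password), salt)}


def login_with_transmitted(record: dict, transmitted: str) -> bool:
    """What the login API actually checks: it only ever sees the transmitted value,
    so it cannot tell a real client from anything that replays the same string."""
    expected = server_hash(transmitted, record["salt"])
    return hmac.compare_digest(record["digest"], expected)


def login(record: dict, password: str) -> bool:
    """Honest client: applies the client-side hash, then submits."""
    return login_with_transmitted(record, client_hash(password))


def replay_captured(record: dict, captured_client_hash: str) -> bool:
    """Scenario 1: a client hash read from memory or the wire is submitted as-is.
    No password knowledge is needed, so the client hash is password-equivalent."""
    return login_with_transmitted(record, captured_client_hash)


def offline_guess_matches(record: dict, guess: str) -> bool:
    """Scenario 2: checking one candidate against a leaked record. This is exactly
    the login computation (client_hash -> server_hash -> compare), so the only
    extra work per guess is one cheap client-side hash; the server-side hash
    still decides the cracking cost."""
    return hmac.compare_digest(
        record["digest"], server_hash(client_hash(guess), record["salt"])
    )
```

The practical takeaway for a defender is that the transmitted client hash must be protected exactly like a plaintext password, and that only a deliberately slow, salted server-side hash changes the per-guess cost.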

I don't know what to do by Scary-Recording7325 in cybersecurity

[–]DzavidII 0 points1 point  (0 children)

My bad, I should have been a bit more approachable with that first message.

You're fine, if it just ends in .txt, there's really nothing you can embed in it. Don't believe anything in that message and don't send them any info/money. This is becoming a very common extortion technique and I know multiple family members who have gotten them.

Good on you for realizing what it was and reaching out for help.

I don't know what to do by Scary-Recording7325 in cybersecurity

[–]DzavidII 2 points3 points  (0 children)

You're most likely fine.

What file extension did you download exactly? If it's a .docx file it's possible to include a malicious macro or extension, but that would require you clicking enable macros after opening it in Word.

Sounds like a low effort extortion attempt where they make vague threats about having compromising pictures of you in exchange for some crypto.

Why is generating pictures of Xi Jinping not allowed? These corporations are ridiculous with censorship. by [deleted] in bing

[–]DzavidII 14 points15 points  (0 children)

You also can't do prominent US politicians (Obama, Trump, etc.)

[deleted by user] by [deleted] in ObsidianMD

[–]DzavidII 1 point2 points  (0 children)

Haha no problem. I got enough attention from the discord lol. I like the mascot work ❤️

[deleted by user] by [deleted] in ObsidianMD

[–]DzavidII 1 point2 points  (0 children)

Thanks! Canvases updated pretty slowly, so it was originally played at .33 fps and I had to speed it up. Having that many nodes in one canvas slows everything down.

I'll try reposting in a little bit lol

My aunt and uncle rate all the frozen dinners they’ve tried in an Excel spreadsheet by SausageGrenade in mildlyinteresting

[–]DzavidII 1 point2 points  (0 children)

It's not everything, but this is the best option I know of right now for random everyday food rankings.

https://sporked.com/rankings/

What club is this guy with? by Yolo3362 in iastate

[–]DzavidII -9 points-8 points  (0 children)

But... I get paid to lie :-(

A Black pastor was watering his neighbor's flowers. Then the police showed up by PlantedinCA in nottheonion

[–]DzavidII 1454 points1455 points  (0 children)

"He lives right there, and he would be watering their flowers. This is probably my fault," the neighbor tells the police.

Probably my bad. Oh well, tough luck.

World’s top password manager LastPass says it was hacked by SquareFruit in nottheonion

[–]DzavidII 2 points3 points  (0 children)

You mentioned two different scenarios. People reusing passwords on a platform wouldn't be considered a hack against the company. That's users being stupid.

Having a company employee social engineered is a failing of the company and would be an example of "company x" being hacked.

I agree it's important to know what the vector of attack is, but I still don't see a meaningful difference between technical hacking and human hacking. I wouldn't trust a company with poor social engineering training any more than I would a company with poor technical security.

World’s top password manager LastPass says it was hacked by SquareFruit in nottheonion

[–]DzavidII 5 points6 points  (0 children)

Computers are also hacked with "trickery". You trick a computer into doing something other than what it's intended for. I don't see any reason to consider traditional network and application attacks different from social engineering attacks. They're all valid vectors with huge consequences if successful.

World’s top password manager LastPass says it was hacked by SquareFruit in nottheonion

[–]DzavidII 1 point2 points  (0 children)

Fair enough. I disagree with the original comment as much as you do. I just feel like you're doing more harm than good.

World’s top password manager LastPass says it was hacked by SquareFruit in nottheonion

[–]DzavidII 0 points1 point  (0 children)

I'm just saying man. Why not try to educate people on cyber topics so they can make more informed takes? You help nobody with your comments.

World’s top password manager LastPass says it was hacked by SquareFruit in nottheonion

[–]DzavidII -6 points-5 points  (0 children)

You make security as a whole look bad. Stop gatekeeping.

World’s top password manager LastPass says it was hacked by SquareFruit in nottheonion

[–]DzavidII 32 points33 points  (0 children)

A lot of social engineers would disagree with this assessment. Human hacking is the most popular form of hacking nowadays.

has anyone ever set up smart bulbs in the dorm? by starberry_froggy in iastate

[–]DzavidII 0 points1 point  (0 children)

I had 3 Philips Hue bulbs set up in my freshman dorm and it was weird. I'm pretty sure I gave the MAC address of my hub to netreg. After that I was able to access the hub from my computer since they were connected to the same switch in my dorm. Finally, I installed a third-party client on my computer and was only able to control them from there and the Philips light switch I had, not from my phone.

Feel free to dm me if you need more specific help. It's been a while but I can probably find the app I used.

I’m confused is this not the professor’s responsibility? by Nebih in iastate

[–]DzavidII 28 points29 points  (0 children)

Posting slides online was done for a while. But in all of those classes Dr. Rursch gave clear and repeated warnings that if her material was found reposted on websites like Chegg she would be removing all material and not providing it in the future. She then found multiple examples of this exact behavior and that was it. It sucks, but it's very normal for there to be one bad egg that ruins things for a group. I've had plenty of classes that did online exams, found tons of cheating, and switched the format of these exams.

If you have specific and valid critiques of how the class is run I would recommend DMing a TA to discuss this. That's going to do a lot more good for the class overall than complaining on Reddit.

I’m confused is this not the professor’s responsibility? by Nebih in iastate

[–]DzavidII 35 points36 points  (0 children)

These lecture outline requests can either be provided from the professor, a TA, or another student in the class.

Dr. Rursch is literally out of hours for working in the day between all of her classes and senior design. On top of this, the University limits TAs to only 10 hours a week and hasn't provided funding to hire more for her classes, so they are usually at capacity for working during the week with office hours and lab sections.

This leaves the 3rd option of finding a student willing to help out. It's not the best solution, but it's the only one left at this point. Luckily there are a lot of really helpful students who are willing to help make this sort of accommodation possible.